VM Settings
Go to Scan Policy and Object > VM Settings to view all installed VM images and configure the number of instances of each image.
The OT Malware scan checks for the presence of OT-related applications and networking protocols. LinuxOT is a Linux VM that simulates an OT industry deployment: it supports the Siemens application and simulates the Modbus, SNMP, IPMI, FTP, and TFTP protocols. The Sandbox Threat Intelligence subscription already includes the Industrial Security subscription, which allows you to enable the simulation. To scan files, submit them through any Windows VM. If a file is OT malware, LinuxOT captures its lateral movement behavior and its access to those applications and protocols.
VM images are grouped into the following categories:

| Category | Description |
| --- | --- |
| Default VMs | Basic set of images installed on FortiSandbox by default. On FSA-AWS models, these are the Windows VMs installed on AWS. |
| Optional VMs | Optional VM images published by Fortinet. |
| Customized VMs | User-created images uploaded to FortiSandbox. |
| Remote MACOSX | Fortinet supports MACOSX remote VMs. You can purchase subscription services from Fortinet to reserve clone numbers in the FortiSandbox Cloud. There is no trial license for the MACOSX VM. In cluster mode for MACOSX remote VMs, all cluster nodes share a collected pool of the reserved clones from each unit. This means that even if a node has no remote VM contract, it can still upload files to the cloud for scanning. For the cluster as a whole, the number of files being scanned on the cloud cannot exceed the total number of reserved clones at any given moment. |
| Remote Windows | Fortinet supports WindowsCloudVM as a remote VM. You can purchase subscription services from Fortinet to reserve clone numbers in the FortiSandbox Cloud. Besides normal use of WindowsCloudVM, overflow mode is supported: all activated local Windows VMs can be configured to overflow to WindowsCloudVM. When Local VM to use overflow is selected, jobs that have used up all local clones of the selected VMs are scanned on WindowsCloudVM instead of waiting for another local clone. In a cluster, each unit can purchase WindowsCloudVM seat counts. The cloud VM seats are local to each unit and are not shared, and the overflow mode configuration is also local to each unit. |
| Remote VMs | Fortinet supports MACOSX and WindowsCloudVM as remote VMs. You can purchase subscription services from Fortinet to reserve clone numbers in the FortiSandbox Cloud. There is no trial license for the MACOSX VM. In cluster mode for MACOSX remote VMs, all cluster nodes share a collected pool of the reserved clones from each unit. This means that even if a node has no remote VM contract, it can still upload files to the cloud for scanning. For the cluster as a whole, the number of files being scanned on the cloud cannot exceed the total number of reserved clones at any given moment. In cluster mode for WindowsCloudVM, VM00 units in the cluster can purchase WindowsCloudVM seat counts. These cloud VM clones are local to the VM00 unit and are not shared. |
| Simulator VMs | Fortinet provides the LinuxOT VM. For information, see OT Simulation. |
When Fortinet publishes a new version of a VM image on its image server, the image appears in the Optional VMs group with a download button in the Status column. Click the button to start downloading. After downloading all the images, click the Ready to Install button to install all downloaded images. No reboot is necessary for installation.
After an image is installed, its license key is checked. If no keys are available, the image status is installed but disabled until the key is imported and the image is activated. After the image is activated, you can start using it by setting its clone number to a value greater than 0. The image status then changes to activated.
The following options are available:

| Option | Description |
| --- | --- |
| Edit Clone Number | Edit the selected entry. Click the green checkmark to save the new number and then click Apply. |
| Delete VM | Delete the selected entry. VMs deleted in the GUI are removed when the system reboots. You cannot delete the default set of four Windows VMs. |
| Undelete VM | After deleting a VM, you can use Undelete VM to recover it. After the system reboots and the delete action is completed, you can no longer undelete the VM. |
| VM Screenshot | Take a screenshot of a running VM and view the name of the file the VM is scanning. This is only available to admin users. |
The following information is displayed:

| Field | Description |
| --- | --- |
| Enabled VM Types | The maximum number of VM types that can run concurrently. The maximum is four on models other than FSA-3000E and six on FSA-3000E. |
| Keys | Maximum number of keys, including the number of used keys and the number of installed keys. |
| Clone Number | Maximum clone number and the number of installed Windows licenses. |
| Name | Name of the VM image. The name is unique in the system; if you upload a new VM image with the same name, the current installation is replaced. To see the VM's usage chart, click the Chart icon beside the Name. |
| Status | VM image status, such as installed, disabled, or activated (see above). |
| Enabled | If an image's clone number is 0, it is disabled. Otherwise it is enabled. |
| Clone# | VM clone number. Double-click the number to edit it and then click the green checkmark to save the new number. Click Apply to apply the change; the VM system re-initializes. The total clone number of all VM images cannot exceed the number of installed Windows licenses. For example, on the FSA-2000E the maximum clone number is 24. We recommend provisioning more than 8 + 3 × clone_number of memory on your FSA unit. |
| Load# | The VM clone number in use. For example, if a cluster primary node is set to use 50% of the sandboxing scan power, its Load# is half of its Clone#. |
| Browser | Set the default browser in local Windows and custom VMs. The default browser is Microsoft Internet Explorer. |
| Extensions | List of all the file types the VM image is associated with. Files of these types are scanned by this VM if they enter the job queue and the system decides they need to be sandboxed. If sandbox prefiltering is turned off for a file type, files of that type are scanned inside each associated VM type. If sandbox prefiltering is turned on, files of that type are first statically scanned by an advanced analytic engine, and only suspicious ones are scanned inside the associated VM types. You can define the file type and VM association in Scan Policy and Object > Scan Profile; double-click the value to open the Scan Profile page and edit the list. When Windows Cloud VM is used in normal mode, file extensions can be modified and displayed. If it is used in overflow mode, only the selected local Windows VMs are displayed. |

Enabled clone numbers are checked against the allocated CPU and memory resources. If there are not enough resources, a warning message appears and the setting is denied.
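The limits in this table (concurrent VM types per model, total clones versus installed Windows licenses, the memory recommendation, and the Load# share) can be checked before clicking Apply. The following is an added example written for this page, not FortiSandbox code; the VM names are constructed, and the memory unit (GB) is an assumption, since the guide states only the formula 8 + clone_number × 3.

```python
"""Pre-apply check for FortiSandbox VM Settings (added example, not Fortinet code)."""
from dataclasses import dataclass
from typing import List

# Limits stated in the VM Settings table above.
MAX_VM_TYPES_DEFAULT = 4       # concurrent VM types on models other than FSA-3000E
MAX_VM_TYPES_FSA_3000E = 6     # FSA-3000E allows six
MEMORY_BASE = 8                # recommended memory is more than 8 + clone_number * 3
MEMORY_PER_CLONE = 3           # (the guide gives no unit; GB is assumed here)


@dataclass
class VMImage:
    name: str                  # constructed names are used in the test below
    clone_number: int          # 0 = image disabled, >0 = enabled


def max_vm_types(model: str) -> int:
    """Maximum number of VM types that may run concurrently on this model."""
    return MAX_VM_TYPES_FSA_3000E if model.upper() == "FSA-3000E" else MAX_VM_TYPES_DEFAULT


def recommended_memory_gb(total_clones: int) -> int:
    """Memory threshold from the guide's formula for the given total clone number."""
    return MEMORY_BASE + total_clones * MEMORY_PER_CLONE


def load_number(clone_number: int, scan_power_percent: int) -> int:
    """Load# of a cluster node: its Clone# scaled by its share of scan power."""
    return clone_number * scan_power_percent // 100


def check_vm_settings(model: str, images: List[VMImage],
                      windows_licenses: int, memory_gb: int) -> List[str]:
    """Return the problems that would get the settings denied; [] means OK."""
    problems = []
    enabled = [img for img in images if img.clone_number > 0]
    if len(enabled) > max_vm_types(model):
        problems.append(f"{len(enabled)} VM types enabled; {model} allows "
                        f"at most {max_vm_types(model)} concurrently")
    total = sum(img.clone_number for img in enabled)
    if total > windows_licenses:
        problems.append(f"total clone number {total} exceeds the "
                        f"{windows_licenses} installed Windows licenses")
    need = recommended_memory_gb(total)
    if memory_gb <= need:   # the guide asks for more than the formula's value
        problems.append(f"memory {memory_gb} GB is not above the recommended "
                        f"{need} GB for {total} clones")
    return problems
```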